
panicked at 'attempt to add with overflow' #210

Closed
charlesxsh opened this issue Oct 2, 2021 · 2 comments

Comments

@charlesxsh

With the given input file:

in.zip

and the following code:

fn main() {
    let filepath = "<input file>";
    let data = std::fs::read(filepath).unwrap();

    // `&data` is a `&Vec<u8>`, which does not implement `Read`; pass a byte slice.
    let reader = xml::reader::EventReader::new(data.as_slice());
    // Drain every event; the panic happens inside the lexer while iterating.
    for _ in reader.into_iter() {}
}

output:

thread 'main' panicked at 'attempt to add with overflow', /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:486:57
stack backtrace:
   0: rust_begin_unwind
   1: core::panicking::panic_fmt
   2: core::panicking::panic
   3: xml::reader::lexer::Lexer::doctype_finishing
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:486:57
   4: xml::reader::lexer::Lexer::dispatch_char
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:373:54
   5: xml::reader::lexer::Lexer::read_next_token
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:354:19
   6: xml::reader::lexer::Lexer::next_token
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/lexer.rs:312:24
   7: xml::reader::parser::PullParser::next
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/parser/mod.rs:262:19
   8: xml::reader::EventReader<R>::next
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/mod.rs:52:9
   9: <xml::reader::Events<R> as core::iter::traits::iterator::Iterator>::next
             at /home/szx5097/.cargo/registry/src/github.com-1ecc6299db9ec823/xml-rs-0.8.4/src/reader/mod.rs:113:22
  ...

Expected: properly return an error instead of panicking.

@oherrala

I think this is the same issue I have reported to @netvl privately.

The function where integer overflow (and panic) occurs is

xml-rs/src/reader/lexer.rs

Lines 483 to 491 in 9c82a76

/// State used while awaiting the closing bracket for the <!DOCTYPE tag
fn doctype_finishing(&mut self, c: char, d: u8) -> Result {
    match c {
        '<' => self.move_to(State::DoctypeFinishing(d + 1)),
        '>' if d == 1 => self.move_to_with(State::Normal, Token::TagEnd),
        '>' => self.move_to(State::DoctypeFinishing(d - 1)),
        _ => Ok(None),
    }
}

where, with a certain input file (hex dump below), the match arm '<' (line 486) causes an integer overflow in d + 1, probably when d = 255.

This case only panics when Rust's integer overflow checks are enabled, so usually in debug builds and not in release builds. With release builds what probably happens is that the integer just silently overflows and things break in some other way.

This is a hex dump of my test case (found and minimized by cargo fuzz):

┌────────┬─────────────────────────┬─────────────────────────┬────────┬────────┐
│00000000│ 0a 3c 21 44 4f 43 54 59 ┊ 50 45 3c 65 3c 3c 6f 3c │_<!DOCTY┊PE<e<<o<│
│00000010│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000020│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000030│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000040│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000050│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000060│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000070│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000080│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000090│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000a0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000b0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000c0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000d0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000e0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│000000f0│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c 3c 3c 3c 3c 3c │<<<<<<<<┊<<<<<<<<│
│00000100│ 3c 3c 3c 3c 3c 3c 3c 3c ┊ 3c 3c 3c                │<<<<<<<<┊<<<     │
└────────┴─────────────────────────┴─────────────────────────┴────────┴────────┘
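To make both failure modes concrete, here is an added example, not xml-rs's code and not from the comment above, that models the `doctype_finishing` depth counter in isolation: the same u8 depth with checked addition that returns an error instead of panicking, beside a `wrapping_add` variant that reproduces what a release build does on the same input. `DoctypeError`, both functions and the constructed input are assumptions of this example.

```rust
#[derive(Debug, PartialEq)]
pub enum DoctypeError {
    /// `<` nesting deeper than a u8 can hold: where the original `d + 1` overflows.
    TooDeep { at_byte: usize },
    /// Input ended inside `<!DOCTYPE ...` without the matching `>`.
    UnexpectedEof,
}

/// Hardened model of `doctype_finishing`: scan the bytes after `<!DOCTYPE`
/// and return the index just past the matching `>`. Depth starts at 1 like
/// the original state; the only change is checked instead of bare addition.
pub fn doctype_finishing_checked(body: &[u8]) -> Result<usize, DoctypeError> {
    let mut d: u8 = 1;
    for (i, &c) in body.iter().enumerate() {
        match c {
            // Original: State::DoctypeFinishing(d + 1), which panics at d == 255.
            b'<' => d = d.checked_add(1).ok_or(DoctypeError::TooDeep { at_byte: i })?,
            b'>' if d == 1 => return Ok(i + 1),
            // d > 1 on this arm, so the decrement cannot underflow.
            b'>' => d -= 1,
            _ => {}
        }
    }
    Err(DoctypeError::UnexpectedEof)
}

/// Release-build behaviour of the original arithmetic, reproduced explicitly
/// with wrapping ops: no panic, but the counter silently wraps, so a `>` can
/// be taken as the end of the DOCTYPE while hundreds of `<` are still open.
/// Returns the final depth and the index past the `>` that was accepted, if any.
pub fn doctype_finishing_wrapping(body: &[u8]) -> (u8, Option<usize>) {
    let mut d: u8 = 1;
    for (i, &c) in body.iter().enumerate() {
        match c {
            b'<' => d = d.wrapping_add(1),
            b'>' if d == 1 => return (d, Some(i + 1)),
            b'>' => d = d.wrapping_sub(1),
            _ => {}
        }
    }
    (d, None)
}

/// Constructed input modelled on the fuzzer case: 256 `<` then a single `>`.
pub fn constructed_overflow_input() -> Vec<u8> {
    let mut v = vec![b'<'; 256];
    v.push(b'>');
    v
}
```

On the constructed input the checked version reports the 255th `<` as too deep, while the wrapping version's depth comes back around to 1 and it accepts the lone `>` as a valid TagEnd, which is the "breaks in some other way" case.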

@kornelski
Collaborator

Fixed
